How to Restrict Web Access to a Subdirectory in ASP.NET Using Web.config


In ASP.NET applications, we often have operational directories that contain essential files like:

  • Database connection scripts
  • Configuration files
  • Internal utility classes
  • Temporary storage files

While these files are crucial for application functionality, exposing them publicly creates serious security vulnerabilities.

ASP.NET provides a robust way to control access through the Web.config file. Here's the complete implementation for blocking a directory called "Utilities":

<configuration>
  <location path="Utilities">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

For newer IIS versions, you can combine ASP.NET and IIS authorization:

<configuration>
  <location path="Utilities">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

After implementing:

  1. Try accessing the directory directly via browser
  2. Check the HTTP response code (should be 403 Forbidden)
  3. Verify application functionality isn't affected

For more granular control, consider:

<location path="Utilities/Configs">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

This configuration allows access only to users in the Administrators role while blocking everyone else.
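As an added illustration that is not part of the answer above: a small Python model of how ASP.NET's UrlAuthorizationModule evaluates the <allow>/<deny> rules shown here, applied to the two <location> blocks from this answer. It encodes the first-match rule (order matters, which is why <allow roles="Administrators"/> must precede <deny users="*"/>) and the fact that a subdirectory's rules are evaluated before the rules inherited from parent paths; the sample config is constructed for the example, and allowOverride and IIS-level <system.webServer> authorization are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's root Web.config with both <location> blocks.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="Utilities">
    <system.web><authorization>
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="Utilities/Configs">
    <system.web><authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

def _segments(path):
    return [s.lower() for s in path.strip("/").split("/") if s]

def _matches(rule, user, roles):
    """True if one <allow>/<deny> element applies to this principal."""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    rule_roles = {r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()}
    for u in users:
        if u == "*" or (u == "?" and not user):   # "*" = everyone, "?" = anonymous only
            return True
        if user and u.lower() == user.lower():
            return True
    return bool(rule_roles & {x.lower() for x in roles})

def is_allowed(config_xml, request_path, user="", roles=()):
    """First matching rule wins; a subdirectory's rules run before inherited
    parent rules. user="" means anonymous. No matching rule means allowed."""
    root = ET.fromstring(config_xml)
    req = _segments(request_path)
    locs = []
    for loc in root.findall("location"):
        seg = _segments(loc.get("path", ""))
        if req[:len(seg)] == seg:            # location path is a prefix of the request
            locs.append((len(seg), loc))
    for _, loc in sorted(locs, key=lambda t: -t[0]):   # deepest <location> first
        auth = loc.find("system.web/authorization")
        for rule in ([] if auth is None else list(auth)):
            if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
                return rule.tag == "allow"
    return True
```

Swapping the two rules in the Utilities/Configs block makes is_allowed return False even for Administrators, which is the ordering mistake the model is meant to surface.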


In ASP.NET applications, it's common to have utility folders containing sensitive files like configuration scripts, data processors, or internal modules that should execute at runtime but shouldn't be directly accessible via web requests. The Web.config authorization system provides a clean solution.

Create or modify the Web.config file in the target subdirectory with this structure:

<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

For a "Utilities" subdirectory containing internal PDF generators:

ProjectRoot/
├── Web.config
└── Utilities/
    ├── Web.config
    ├── PdfGenerator.ashx
    └── ConfigLoader.cs

The Utilities/Web.config would contain:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="BlockViewHandler"/>
    </handlers>
  </system.webServer>
</configuration>

For more granular control combining IP restrictions and role-based access:

<location path="Utilities">
  <system.web>
    <authorization>
      <allow roles="InternalService"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add allowed="true" ipAddress="192.168.1.100" subnetMask="255.255.255.0"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

After implementation:

  1. Direct URL access should return 401 Unauthorized
  2. Application functionality using the files internally should continue working
  3. Check IIS logs for any unauthorized access attempts

  • Ensure inheritance isn't blocked by <location allowOverride="false"> in the parent config
  • For IIS Express, restart the application after changes
  • Verify the IIS_IUSRS group has read permissions on the physical files